
Re: [suse-security] chrooted apache
  • From: "Boris B. Zhmurov" <bb@xxxxxxxxxxxxxx>
  • Date: Mon, 08 Nov 2004 20:23:25 +0300
  • Message-id: <418FAB8D.4@xxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, John.

That's my script. I wrote it a long time ago. It's ugly, but it works :-)
It builds one chroot tree for Apache + MySQL + ProFTPD + Postfix.


On 08.11.2004 10:46 you said the following:

| how can apache get chrooted?
| What should i copy to the chrooted area?
|
| Any good howto in this issue?


- --
Boris B. Zhmurov
mailto: bb@xxxxxxxxxxxxxx
"wget http://kernelpanic.ru/bb_public_key.pgp -O - | gpg --import"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBj6uNmEQixi5w37YRAp3xAJ0a9vMzRoQGXVJvi1pikHdMd260kgCZAaXQ
B8C9/mtwH0rA5DX7lDB6z8s=
=3v5v
-----END PGP SIGNATURE-----
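#!/bin/sh
#
# Build a chroot jail under $WWWROOT for Apache, MySQL, ProFTPD and Postfix.
# Run as root on the host. Every later section assumes the jail root exists
# and mostly works with paths relative to it.
# NOTE(review): a chroot is not a security boundary for a process that keeps
# root inside it or can reach a setuid-root binary; keep the daemons
# unprivileged and the tree as small as possible.

# Jail root. Later sections reference it by name and, in places, literally.
WWWROOT=/wwwroot

# Refuse to continue if the jail root is missing: without this guard every
# relative mkdir/cp below would quietly build the "jail" in the current
# directory while the chroot calls later on fail.
cd "$WWWROOT" || { echo "cannot cd to $WWWROOT" >&2; exit 1; }
mkdir -p usr/bin usr/lib usr/sbin lib lib/tls etc tmp dev sbin var var/log var/run var/spool
# /bin -> usr/bin, so everything copied into bin/ really lands in usr/bin.
# Guarded so the script can be re-run without ln complaining.
[ -e bin ] || ln -s usr/bin bin
# World-writable but sticky, like the host /tmp (same as 777 followed by +t).
chmod 1777 tmp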

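### MAKING /DEV/NULL
# Character device 1,3 so jailed daemons can redirect to /dev/null.
# Guarded so a second run of the script does not abort on "File exists".
[ -e dev/null ] || mknod -m 666 dev/null c 1 3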

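### MAKING TIMEZONE
# Zone file the jailed daemons use for log timestamps. Defaults to the
# original hard-coded MET; override with e.g. TZNAME=Europe/Berlin.
TZNAME=${TZNAME:-MET}
cd "$WWWROOT" || exit 1
# Nested zone names (Area/City) need their directory inside the jail.
mkdir -p "usr/share/zoneinfo/$(dirname "$TZNAME")"
cp -pi "/usr/share/zoneinfo/$TZNAME" "usr/share/zoneinfo/$TZNAME"
# Relative link so etc/localtime resolves both from the host and inside the jail.
[ -e etc/localtime ] || ln -s "../usr/share/zoneinfo/$TZNAME" etc/localtime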

### MAKING LOCALE
# Print whatever LANG the invoking shell had, then pin a known locale for the
# rest of the run and mirror the host's locale data into the jail.
# NOTE(review): this copies every locale the host has, which is a lot of
# data for daemons that only need en_US.
set | grep LANG
LANG=en_US
export LANG
cd $WWWROOT
mkdir -p usr/share/locale
cp -a /usr/share/locale/* usr/share/locale/


### MAKING CHROOTED SYSTEM
# Copy the shared libraries and a working set of userland tools into the jail.
# The library globs are hand-picked for the author's glibc layout of the time
# (lib/tls, lib/i686); on another host run `ldd` on each jailed binary and
# adjust the lists, otherwise daemons typically die at start with a missing
# shared object. bin/ is a symlink to usr/bin (created above), so the tools
# copied into bin/ end up in usr/bin.
# NOTE(review): a shell, vi, find, cp and rm inside the jail hand a full
# toolkit to anyone who gets code execution as www/nobody; keep only what
# the daemons and CGIs actually exec.

cp -pi /lib/libpopt* /lib/libterm* /lib/ld-linux* /lib/libdl* /lib/libpam* /lib/libm* /lib/libcrypt* /lib/libdb* /lib/libpcre* /lib/libgcc_s* lib/
cp -pi /usr/lib/libpopt* /usr/lib/libuser* /usr/lib/libcrypto* /usr/lib/libdb* /usr/lib/libc.* /usr/lib/libg* /usr/lib/libres* /usr/lib/libnsl* /usr/lib/libz* /usr/lib/libssl* /usr/lib/libsasl2* /usr/lib/libldap* /usr/lib/liblber* /usr/lib/libpcre* /usr/lib/libstdc++* /usr/lib/libncurses* usr/lib/
cp -pi /lib/tls/libm* /lib/tls/libpthread* /lib/tls/librt* /lib/tls/libc.so* lib/tls/
cp -pi /lib/libnsl* /lib/libresolv* /lib/libutil* lib/
cp -a /lib/i686/ lib/
# Second copy of the locale data (already done in the locale section).
cp -fa /usr/share/locale/ usr/share/
cp -pi /bin/ls /bin/sh /bin/bash /bin/cat /bin/grep /bin/find /bin/uname /bin/egrep /bin/vi /bin/touch /bin/echo /bin/rm /bin/mv /bin/cp bin/
cp -pi /bin/chmod /bin/chown /bin/date /bin/gawk /bin/mkdir /bin/pwd /bin/sed /bin/sort /bin/awk /bin/hostname bin/
cp -pi /usr/bin/which /usr/bin/nohup /usr/bin/tee /usr/bin/whereis usr/bin
cp -pi /usr/bin/cmp /usr/bin/clear /usr/bin/diff usr/bin
# Smoke test: if the dynamic loader and libc are in place this lists the jail root.
chroot $WWWROOT /bin/ls -l /


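### PREPARING a USER and the Naming Service

cd "$WWWROOT" || exit 1
touch etc/passwd etc/group etc/shadow

# Copy one account's line from the host into the jail's passwd/group/shadow.
# The match is anchored on the name field: a bare `grep www` also pulls in
# any unrelated line that merely contains the substring (wwwrun, mailman,
# sendmail, ...), which silently puts extra accounts into the jail.
# NOTE(review): on SUSE the Apache account may be `wwwrun`; adjust the names
# below to what the host actually uses.
# NOTE(review): this still copies the real password hashes into the jail;
# none of the jailed daemons need to verify these users' passwords, so
# consider writing `*` in the hash field instead.
copy_passwd() { grep "^$1:" /etc/passwd >> etc/passwd; }
copy_group()  { grep "^$1:" /etc/group  >> etc/group; }
copy_shadow() { grep "^$1:" /etc/shadow >> etc/shadow; }

for u in www nobody ftp; do copy_passwd "$u"; done
for g in www nogroup ftp; do copy_group "$g"; done
for u in www nobody ftp; do copy_shadow "$u"; done

# A no-op "shell" for the jailed accounts: always exits 1, so they get no
# interactive login even though a real /bin/sh was copied into the jail.
# The source goes to a private temp file, not a predictable name in /tmp
# that another local user could pre-create or swap.
FALSE_SRC=$(mktemp /tmp/False.XXXXXX) || exit 1
echo 'int main(int argc, char *argv[]) { return(1); }' > "$FALSE_SRC"
cc -x c -o usr/bin/False "$FALSE_SRC"
cc -x c -o usr/bin/false "$FALSE_SRC"
rm -f "$FALSE_SRC"
# Execute-only: the jailed users can run but not read/copy these binaries.
chmod 111 usr/bin/*
# NSS modules so getpwnam()/getgrnam() resolve inside the jail.
cp -pi /lib/libnss* lib/

# Name-service configuration for the jail: local files only, DNS for hosts.
# Written with `>` so a re-run does not append a second copy.
cat > etc/nsswitch.conf <<'EOF'
passwd: files
shadow: files
group: files
hosts: files dns
EOF

cp -f /etc/resolv.conf /etc/services /etc/host.conf /etc/hosts etc/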


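### INSTALLING APACHE

# Relative paths below depend on the cwd being the jail root.
cd "$WWWROOT" || exit 1
mkdir -p usr/local
cp -a /usr/local/apache usr/local/
# Only the content trees are handed to the web user here; bin/conf/libexec
# ownership and modes are tightened in the permissions section.
chown -R www:www usr/local/apache/htdocs
chown -R www:www usr/local/apache/cgi-bin
# MySQL client library for whatever in the jail links against it.
cp -pi /usr/local/mysql/lib/mysql/lib* usr/lib/
mkdir -p usr/local/apache/conf/vhosts
# Compatibility link: something expects libmysqlclient.so.12 while the
# installed client is .so.10. Different sonames usually mean a different
# ABI, so verify this is still needed rather than carrying it forward.
# Guarded so a re-run does not fail on an existing link.
[ -e usr/lib/libmysqlclient.so.12 ] || ln -s libmysqlclient.so.10 usr/lib/libmysqlclient.so.12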


### INSTALLING PERL5
# Mirror the Perl library tree as usr/lib/perl with a perl5 alias next to it,
# then copy the interpreter binaries.
cd $WWWROOT
cp -a /usr/lib/perl5 usr/lib/perl
( cd usr/lib && ln -s perl perl5 )
cp -p /usr/bin/perl usr/bin/
cp -p /usr/bin/perl5* usr/bin/


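### Chroot postfix

cd "$WWWROOT" || exit 1

cp -fa /etc/postfix etc/
cp -pif /usr/bin/newaliases usr/bin
cp -fa /usr/lib/postfix usr/lib/
cp -pif /usr/sbin/*post* /usr/sbin/smtp* /usr/sbin/qmqp* usr/sbin/
cp -pif /usr/lib/libpostfix-global.so.1 /usr/lib/libpostfix-util.so.1 usr/lib/
# Prefer the alternatives-style name when the host provides one.
if [ -x /usr/sbin/sendmail.postfix ]; then
  cp -pif /usr/sbin/sendmail.postfix usr/sbin/sendmail
else
  cp -pif /usr/sbin/sendmail usr/sbin/
fi
# usr/share/doc was never created in the jail; a multi-source cp into a
# missing directory fails. (The docs are not needed by the daemon at all.)
mkdir -p usr/share/doc
cp -fa /usr/share/doc/postfix* usr/share/doc
cp -fa /var/spool/postfix var/spool/
# Postfix chroots its own daemons under var/spool/postfix inside this jail
# and needs resolver/NSS/timezone files there as well.
mkdir -p var/spool/postfix/etc
cp -pif etc/nsswitch.conf etc/localtime etc/resolv.conf var/spool/postfix/etc/
# Account entries, anchored on the name field: a bare `grep mail` would
# also copy mailman, sendmail, ... into the jail's passwd/shadow.
for u in postfix mail; do
  grep "^$u:" /etc/passwd >> etc/passwd
  grep "^$u:" /etc/shadow >> etc/shadow
done
for g in postfix postdrop maildrop mail; do
  grep "^$g:" /etc/group >> etc/group
done
mkdir -p var/mail
chmod 770 var/mail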

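### Create the random devices in the chroot-ed tree
# Mode is set explicitly, matching dev/null above: mknod without -m honours
# the umask, and the jailed daemons run as www/mysql/postfix, not root, so
# they need read access (e.g. for the SSL-enabled Apache started below).
# Guarded so the script can be re-run.
cd "$WWWROOT/dev" || exit 1
[ -e random ]  || mknod -m 666 random  c 1 8
[ -e urandom ] || mknod -m 666 urandom c 1 9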


### Installing proftpd
# The whole ProFTPD tree is mirrored under the jail; ownership and modes are
# fixed in the permissions section further down.
cd $WWWROOT
cp -a /usr/local/proftpd/ usr/local/


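### Installing mysql

cd "$WWWROOT" || exit 1
cp -fa /usr/local/mysql usr/local/
# mysql account, anchored on the name field (see the passwd section).
grep '^mysql:' /etc/passwd >> etc/passwd
grep '^mysql:' /etc/shadow >> etc/shadow
grep '^mysql:' /etc/group  >> etc/group
# Start from an empty datadir and bootstrap the system tables inside the jail.
rm -rf usr/local/mysql/var/*
chroot "$WWWROOT" /usr/local/mysql/bin/mysql_install_db

# Initial root password. The script used to hard-code "123"; take it from
# the environment or generate a random one and print it once. It is still
# passed on the mysqladmin command line, so it is briefly visible in `ps`
# on the host while those two commands run.
MYSQL_ROOT_PW=${MYSQL_ROOT_PW:-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')}
echo "mysql root password: $MYSQL_ROOT_PW"

# NOTE(review): the bootstrap server runs as root because the tree is only
# chowned to mysql at the end of this section; the generated boot script
# starts the real server with --user=mysql.
chroot "$WWWROOT" /usr/local/mysql/bin/safe_mysqld --user=root &
# The server comes up asynchronously; the original raced it with mysqladmin.
# Poll until it answers (no password is set yet), give up after ~30 s.
i=0
until chroot "$WWWROOT" /usr/local/mysql/bin/mysqladmin -u root status >/dev/null 2>&1; do
  i=$((i + 1))
  [ "$i" -lt 30 ] || { echo "mysqld did not come up in the jail" >&2; exit 1; }
  sleep 1
done
chroot "$WWWROOT" /usr/local/mysql/bin/mysqladmin -u root password "$MYSQL_ROOT_PW"
chroot "$WWWROOT" /usr/local/mysql/bin/mysqladmin -u root --password="$MYSQL_ROOT_PW" shutdown
wait
chown -R mysql:mysql usr/local/mysql/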


### Making secure rights to files
# Tighten ownership and modes inside the jail. Order matters: the recursive
# chown/chmod come first, the narrower exceptions afterwards.

cd $WWWROOT
chmod 644 etc/group etc/passwd etc/nsswitch.conf etc/resolv.conf etc/hosts etc/services
chmod 600 etc/shadow
chmod -R 755 lib
chmod 750 sbin/*

# Apache. NOTE(review): the recursive chown below hands bin/, conf/ and
# libexec/ to the web user; the 700/600/100 modes that follow then keep
# *other* users out but not www itself, who as owner can rewrite config,
# modules and binaries (and chmod them back). Since apachectl is started
# as root from the boot script, a compromise of www can become root at the
# next restart. Prefer root:root for everything except htdocs/cgi-bin/logs.
chown -R www:www usr/local/apache/
chown root:root usr/local/apache/bin/suexec
chmod 700 usr/local/apache/bin usr/local/apache/conf usr/local/apache/libexec
chmod 600 usr/local/apache/conf/*conf*
chmod 755 usr/local/apache/logs
chmod 100 usr/local/apache/bin/a* usr/local/apache/bin/h* usr/local/apache/bin/r* usr/local/apache/bin/c* usr/local/apache/bin/d* usr/local/apache/bin/l*
# NOTE(review): a setuid-root binary inside a chroot is the classic escape
# vector (root in the jail can chroot()/mknod its way out). Confirm suexec
# is really needed in the jail before keeping the 4755 bit.
chmod 4755 usr/local/apache/bin/suexec

# ProFTPD: same pattern, owned by nobody; 400 on etc/* only blocks other
# users, the owner can still chmod and edit.
chown -R nobody:nogroup usr/local/proftpd
chmod 755 usr/local/proftpd
chmod 700 usr/local/proftpd/etc usr/local/proftpd/bin usr/local/proftpd/sbin usr/local/proftpd/var usr/local/proftpd/man
chmod 100 usr/local/proftpd/bin/* usr/local/proftpd/sbin/*
chmod 400 usr/local/proftpd/etc/*

# Postfix: setgid on postqueue/postdrop (group as preserved by cp -p);
# the two files that may hold secrets (TLS PRNG seed, SASL credentials) are
# root-only.
chmod 750 usr/sbin/post* usr/sbin/smtp* usr/sbin/sendmail usr/sbin/qmqp*
chmod 2751 usr/sbin/postqueue usr/sbin/postdrop
chmod 640 etc/postfix/*
chmod 600 etc/postfix/prng_exch etc/postfix/sasl_passwd
chmod 750 etc/postfix/post-install etc/postfix/postfix-script
chmod 644 etc/postfix/main.cf

# MySQL tree is mysql:mysql (chowned in its section), so 750 keeps the other
# jailed accounts out entirely.
chmod 750 usr/local/mysql/bin/* usr/local/mysql/* usr/local/mysql/sql-bench/* usr/local/mysql/libexec/* usr/local/mysql/mysql-test/*


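### Creating startup scripts
# Generate $WWWROOT/boot.chroot, which starts each daemon inside the jail.
# Written with `>` (the original appended, so every re-run of this script
# duplicated the four chroot lines) and made executable for root only.
# $WWWROOT is expanded now, at generation time, so the boot script carries
# the absolute jail path.
# NOTE(review): proftpd and apachectl are started as root inside the jail
# and only drop privileges themselves (if configured to); until they do,
# the chroot provides no containment.
cd "$WWWROOT" || exit 1
cat > boot.chroot <<EOF
#!/bin/sh

chroot $WWWROOT /usr/local/proftpd/sbin/proftpd
chroot $WWWROOT /usr/local/apache/bin/apachectl startssl
chroot $WWWROOT /usr/sbin/postfix start
chroot $WWWROOT /usr/local/mysql/bin/safe_mysqld --local-infile=0 --safe-show-database --safe-user-create --user=mysql &
EOF
chmod 700 boot.chroot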













